Wildcard subdomain limit

nurhun · December 27, 2020, 7:41pm

Dears,

My wildcard certificate was working fine with subdomains, but suddenly newly created subdomains are not secured, it gives invalid certificate, however it works fine for previously created instances ?! Is there a limit on subdomains number, like ...

1.my-domain.com
2.my-domain.com
.
.
.
100000.my-domain.com

My domain is: pharmacistplace.com
I ran this command: wildcard
My web server is (include version): Apache2
The operating system my web server runs on is (include version): ubuntu 16.04

JuergenAuer · December 27, 2020, 7:50pm

Hi @nurhun

checking your domain there is no real problem visible - https://check-your-website.server-daten.de/?q=pharmacistplace.com#ct-logs

Issuer	not before	not after	Domain names
Let's Encrypt Authority X3	2020-11-20	2021-02-18	112233.pharmacistplace.com, 3182020.pharmacistplace.com, 92020.pharmacistplace.com, accountingtest.pharmacistplace.com, ahmedshokry.pharmacistplace.com, citypharmacy.pharmacistplace.com, demo101.pharmacistplace.com, demo102.pharmacistplace.com, demo103.pharmacistplace.com, demo104.pharmacistplace.com, demo105.pharmacistplace.com, demo106.pharmacistplace.com, demo107.pharmacistplace.com, demo108.pharmacistplace.com, demo109.pharmacistplace.com, demo110.pharmacistplace.com, demo201.pharmacistplace.com, demo202.pharmacistplace.com, demo203.pharmacistplace.com, demo204.pharmacistplace.com, demo205.pharmacistplace.com, demo206.pharmacistplace.com, demo207.pharmacistplace.com, demo208.pharmacistplace.com, demo209.pharmacistplace.com, demo210.pharmacistplace.com, dwaa.pharmacistplace.com, faragtest.pharmacistplace.com, final-test-r.pharmacistplace.com, homos2.pharmacistplace.com, ibnsina-demo.pharmacistplace.com, inventorytest.pharmacistplace.com, inventory-test-upload.pharmacistplace.com, m-salah.pharmacistplace.com, osama.atef.pharmacistplace.com, pharmacistplace.com, phms1.pharmacistplace.com, postest18-10-2020.pharmacistplace.com, r23.pharmacistplace.com, sales2.pharmacistplace.com, sdferdg.pharmacistplace.com, sdffhjytr.pharmacistplace.com, sdfsdghg.pharmacistplace.com, test.pharmacistplace.com, test2r.pharmacistplace.com, wevfgdfgetg.pharmacistplace.com 46 entries
Let's Encrypt Authority X3	2020-11-19	2021-02-17	112233.pharmacistplace.com, 3182020.pharmacistplace.com, 92020.pharmacistplace.com, accountingtest.pharmacistplace.com, ahmedshokry.pharmacistplace.com, citypharmacy.pharmacistplace.com, demo101.pharmacistplace.com, demo102.pharmacistplace.com, demo103.pharmacistplace.com, demo104.pharmacistplace.com, demo105.pharmacistplace.com, demo106.pharmacistplace.com, demo107.pharmacistplace.com, demo108.pharmacistplace.com, demo109.pharmacistplace.com, demo110.pharmacistplace.com, demo201.pharmacistplace.com, demo202.pharmacistplace.com, demo203.pharmacistplace.com, demo204.pharmacistplace.com, demo205.pharmacistplace.com, demo206.pharmacistplace.com, demo207.pharmacistplace.com, demo208.pharmacistplace.com, demo209.pharmacistplace.com, demo210.pharmacistplace.com, dwaa.pharmacistplace.com, faragtest.pharmacistplace.com, final-test-r.pharmacistplace.com, homos2.pharmacistplace.com, ibnsina-demo.pharmacistplace.com, inventorytest.pharmacistplace.com, inventory-test-upload.pharmacistplace.com, m-salah.pharmacistplace.com, osama.atef.pharmacistplace.com, pharmacistplace.com, phms1.pharmacistplace.com, postest18-10-2020.pharmacistplace.com, r23.pharmacistplace.com, sales2.pharmacistplace.com, sdferdg.pharmacistplace.com, sdffhjytr.pharmacistplace.com, sdfsdghg.pharmacistplace.com, test.pharmacistplace.com, test2r.pharmacistplace.com, wevfgdfgetg.pharmacistplace.com 46 entries
Let's Encrypt Authority X3	2020-08-30	2020-11-28	*.pharmacistplace.com, pharmacistplace.com
2 entries
Let's Encrypt Authority X3	2020-08-30	2020-11-28	*.pharmacistplace.com, pharmacistplace.com
2 entries

Two older certificates with 46 domain names. There is a 100 names limit, so that's not a problem.

TXT entries are good.

Your exact command and error message is required.

Osiris · December 27, 2020, 7:55pm

A wildcard certificate does have a few technical limits, but within those limits, there are no limits to how many label variants the certificate is valid. Here are the technical constraints: the wildcard is only valid for one DNS label. I.e., *.example.com is valid for foo.example.com but not for bar.foo.example.com, as the latter hostname has two labels on the position of the wildcard. The wildcard can only be the upmost left DNS label. I.e., *.foo.example.com is fine, but bar.*.example.com is not.

nurhun · December 27, 2020, 11:18pm

Thanks ... bur actually I'm using I label as a subdomain and issue happened.

nurhun · December 27, 2020, 11:19pm

Thank you for the detailed check .. could you check testing.pharmacistplace.com ? It's even not listed here ?

griffin · December 27, 2020, 11:45pm

Welcome to the Let's Encrypt Community

Then you let that wildcard certificate expire a month ago...

Rip · December 28, 2020, 12:05am

the "testing" subdomain is not listed on the certificate being served currently.
you could --expand the certificate or go back to a VALID wildcard certificate.
Might be your best option if your subdomains are frequently changing.

danb35 · December 28, 2020, 2:05am

Here's the cert you're serving:

As you can see, it isn't a wildcard. If you want a cert to act like a wildcard cert, it needs to be a wildcard cert.

JuergenAuer · December 28, 2020, 9:32am

The test tool is online, use it.

That's one reason I've created that tool: That other users can test their domain.

A "hidden tool" wouldn't be helpful.

nurhun · December 30, 2020, 9:33pm

That's exactly what happened, when expired month ago, I ran only "certbot --apache", I only reinstalled the main domain not the wildcard !!

Then, now I'm trying to get a wildcard cert using below but it's not working, any ideas ?!

certbot -d pharmacistplace.com -d *.pharmacistplace.com --preferred-challenges=dns --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

JuergenAuer · December 30, 2020, 10:01pm

You can't use dns validation with Apache.

Your Apache doesn't know something about your dns configuration.

Wildcard -> dns validation -> no webserver validation.

Read

nurhun · December 30, 2020, 10:13pm

Then, I have to verify it manually ?!

certbot certonly --manual ?

JuergenAuer · December 30, 2020, 10:28pm

If your dns provider doesn't have a supported API, yes.

Check acme.sh, there are more APIs supported.

nurhun · January 3, 2021, 10:22am

Solved manually, thanks.

Now for the 100 subdomain limit, is there any way to expand this limit, even paid ?!

Osiris · January 3, 2021, 10:25am

No.